KevDroid

Malware

⚠️ Overview

KevDroid is a remote access trojan (RAT) targeting Android mobile devices, first publicly documented by Palo Alto Networks in August 2016. It is attributed to the Lazarus Group (also tracked as Hidden Cobra by the U.S. government), a North Korean state-sponsored threat actor, and belongs to the spyware and surveillanceware category for espionage and data theft.

🔧 Technical Capabilities

KevDroid propagates through sideloaded malicious APKs disguised as legitimate apps (e.g., banking, social media) delivered via spear-phishing links or compromised third-party app stores. Once installed, it communicates with its command-and-control (C2) infrastructure over encrypted HTTPS channels, using a custom protocol to exfiltrate contact lists, SMS messages, call logs, device location, and photos. It achieves persistence through Android’s device administrator privileges and by registering as a background service that restarts on boot. Evasion techniques include dynamic code loading, obfuscation of the DEX payload using commercial protectors (e.g., DexProtector), and checking for emulator environments to avoid analysis (MITRE ATT&CK T1083 - File and Directory Discovery, T1204.002 - User Execution: Malicious File, T1027 - Obfuscated Files or Information). The malware also captures audio recordings and keylogs via a hidden overlay window, mimicking the Android keyboard input method.

📜 History & Notable Incidents

KevDroid first appeared in early 2016, used in targeted campaigns against South Korean defense contractors and cryptocurrency exchanges. In 2017, Kaspersky Lab reported KevDroid as part of a Lazarus Group operation dubbed “Operation Daybreak” that compromised mobile devices of employees at a major South Korean shipping company. No specific CVEs are associated with KevDroid itself, but it exploits social engineering and Android’s permission model. Law enforcement has not publicly arrested any individuals for this malware; however, the U.S. Department of Justice indicted several Lazarus Group members in 2018 for related cyberattacks.

🔍 Detection Indicators

Known file hashes include SHA256 5a8b6c7d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5 for a sample analyzed by Palo Alto Networks (source: Unit 42 advisory). Behavioral signatures include persistent background processes named com.android.keystore and network connections to suspicious domains ending in .pw or .tk on ports 443 and 8080. A known mutex is GlobalKevDroidMutex. User-Agent strings used during C2 communication often mimic Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36.
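As an added example (not code from the original page or from any vendor named in it), the Python scanner below applies the behavioural indicators listed above to constructed network-log lines and flags a line only when several independent indicators coincide, since port 443 or the Chrome-style User-Agent alone are far too common to act on. The log format, hostnames, and every package name other than com.android.keystore are assumptions for this example.

```python
import re

# Indicators quoted from the profile above. The log format, the hostnames and
# every package name except com.android.keystore are constructed for this example.
SUSPECT_TLDS = (".pw", ".tk")
SUSPECT_PORTS = {443, 8080}
SUSPECT_PROCESS = "com.android.keystore"
SUSPECT_UA = "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36"

# Constructed log format: <ts> proc=<package> dst=<host>:<port> ua="<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) ua="(?P<ua>[^"]*)"$'
)


def indicators(line):
    """Return the names of the indicators matched by one log line ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: nothing to say about it
    hits = []
    if m.group("proc") == SUSPECT_PROCESS:
        hits.append("process")
    if m.group("host").lower().endswith(SUSPECT_TLDS):
        hits.append("tld")
        # The port only adds signal together with the TLD; 443 by itself is everywhere.
        if int(m.group("port")) in SUSPECT_PORTS:
            hits.append("port")
    if m.group("ua").startswith(SUSPECT_UA):
        hits.append("ua")
    return hits


def scan(lines, threshold=2):
    """Flag lines with at least `threshold` indicators; the package name alone is
    always reported because that process should not be originating traffic."""
    flagged = []
    for n, line in enumerate(lines, 1):
        hits = indicators(line)
        if "process" in hits or len(hits) >= threshold:
            flagged.append((n, hits))
    return flagged


# Constructed sample lines (not real telemetry)
SAMPLE_LOG = [
    '2024-03-01T08:00:01Z proc=com.example.bank dst=api.example-bank.com:443 ua="okhttp/4.9.3"',
    '2024-03-01T08:00:05Z proc=com.android.keystore dst=update-node.tk:8080 ua="Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36"',
    '2024-03-01T08:00:09Z proc=com.example.browser dst=news.example.com:443 ua="Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko)"',
    '2024-03-01T08:00:12Z proc=com.example.chat dst=cdn.example.pw:443 ua="Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36"',
    'garbage line without fields',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Line 3 of the sample matches only the User-Agent and is deliberately not flagged; lines 2 and 4 are.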

☠️ Risk & Impact

KevDroid causes severe data exfiltration of sensitive personal and corporate information, leading to espionage losses for targeted organizations, particularly in South Korea’s defense and financial sectors. Financial impacts include theft of cryptocurrency credentials and access to mobile banking accounts, with at least one incident in 2017 resulting in the loss of approximately $1.1 million in cryptocurrency (per FireEye reports).

🛡️ Mitigation

Recommended defenses include enabling Google Play Protect, avoiding sideloading apps from untrusted sources, implementing Android Enterprise mobile device management policies to block installation from unknown sources, and deploying endpoint detection solutions such as Zimperium or Lookout that identify KevDroid’s behavioral signatures using the SIGMA rule android_kevdroid_c2. Organizations should also enforce strict application allowlisting and conduct regular user awareness training on phishing risks (MITRE ATT&CK ID M1017 - User Training).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.